
A new wave of router-based cyberattacks has emerged in the form of a stealthy and persistent botnet campaign dubbed AyySSHush, targeting ASUS routers across the globe. First uncovered in March 2025 by GreyNoise and subsequently tracked by Censys, the botnet abuses legitimate router features to establish long-term control, making detection and remediation exceedingly difficult.
“AyySSHush… abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates,” Censys notes.
The botnet abuses ASUS’s AiProtection system, a security feature originally meant to protect users. By injecting an attacker-controlled SSH public key through the router’s official configuration interface, the attackers gain persistent access that survives firmware updates: the key is stored in the router’s saved configuration (NVRAM), which a firmware flash leaves in place, so only a factory reset that wipes that configuration removes it.
This approach exemplifies the evolving trend of “living off the firmware” — a technique in which attackers manipulate vendor-sanctioned mechanisms to maintain stealth and resilience.
“Even users who proactively upgrade their router firmware… may remain unknowingly compromised,” warns the report.
The AyySSHush campaign follows a sophisticated multi-stage pattern:
- Initial Access: brute-forces weak credentials or exploits older authentication-bypass bugs in the router’s login.cgi endpoint.
- Command Injection: exploits CVE-2023-39780, an authenticated OS command-injection flaw, through the AiProtection_HomeProtection.asp page to run commands on the router.
- SSH Backdoor Installation: uses the router’s own settings to enable the SSH daemon on TCP/53282 and adds the attacker’s public key to authorized_keys, all through features the firmware already provides.
“Since the SSH key is added via the router’s official config interface, it is retained across firmware updates.”
Because the abuse relies on built-in features rather than dropped malware, a compromised router shows no obvious symptoms unless an administrator inspects the SSH configuration, the authorized_keys list, or the listening ports. Detection is harder still because of the non-standard port: 53282 falls outside the port ranges most casual scans cover.
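As an added example (not code from Censys, GreyNoise or ASUS), the two checks the paragraph above calls for: a banner grab on TCP/53282 to confirm an SSH service is really listening there, and an audit of an authorized_keys listing against the fingerprints an operator knows they added. Everything in it is constructed: the keys are synthetic ssh-ed25519 blobs built from fixed bytes, and the “router” is a local listener that replays a Dropbear-style banner so the script runs offline. On a real device you would point `grab_ssh_banner` at the router’s WAN address and feed `unknown_keys` the contents of its authorized_keys file.

```python
# Added example (not Censys/GreyNoise/ASUS code): checks for the SSH-backdoor
# persistence described above. Assumes only what the article states: an SSH
# service on TCP/53282 and an extra key in authorized_keys. Sample data is constructed.
import base64
import hashlib
import socket
import struct
import threading

BACKDOOR_PORT = 53282  # port named in the reporting above
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def grab_ssh_banner(host, port=BACKDOOR_PORT, timeout=3.0):
    """SSH identification string served on host:port, or None if the port is
    closed, filtered, or answering with something other than SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(256)
    except OSError:
        return None
    first = data.split(b"\n", 1)[0].strip()
    return first.decode("ascii", "replace") if first.startswith(b"SSH-") else None


def parse_entry(line):
    """Parse one authorized_keys line into type, SHA256 fingerprint (the value
    `ssh-keygen -lf` prints) and comment; None if it is not a well-formed key.
    A leading options field (from=..., no-pty) is skipped; quoted spaces inside
    options are not handled, which is enough for an audit pass."""
    parts = line.split()
    if parts and parts[0] not in KEY_TYPES:
        parts = parts[1:]
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    keytype, blob, comment = parts[0], parts[1], " ".join(parts[2:])
    try:
        raw = base64.b64decode(blob, validate=True)
        (tlen,) = struct.unpack(">I", raw[:4])  # wire format: length-prefixed type
        if raw[4:4 + tlen] != keytype.encode():
            return None
    except (ValueError, struct.error):
        return None
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"type": keytype, "fingerprint": "SHA256:" + digest, "comment": comment}


def unknown_keys(authorized_keys_text, trusted_fingerprints):
    """Entries not on the operator's fingerprint allowlist, plus any line that
    cannot be parsed (reported rather than silently skipped)."""
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append({"type": "unparseable", "fingerprint": None, "comment": line})
        elif entry["fingerprint"] not in trusted_fingerprints:
            findings.append(entry)
    return findings


def _synthetic_ed25519(fill):
    """Syntactically valid ssh-ed25519 public key built from one repeated byte.
    Constructed for this example; not a real key pair."""
    raw = (struct.pack(">I", 11) + b"ssh-ed25519"
           + struct.pack(">I", 32) + bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(raw).decode()


ADMIN_KEY = _synthetic_ed25519(0x01) + " admin@workstation"  # key the operator added
PLANTED_KEY = _synthetic_ed25519(0xAA)                       # key the operator never added
SAMPLE_AUTHORIZED_KEYS = "# constructed listing\n" + ADMIN_KEY + "\n" + PLANTED_KEY + "\n"


def serve_banner_once(banner):
    """Throwaway local listener standing in for the router: sends `banner` to
    the first client and exits, so the example runs with no network access."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_banner_once(b"SSH-2.0-dropbear_2020.81\r\n")  # constructed banner
    banner = grab_ssh_banner("127.0.0.1", port)
    print("SSH on TCP/%d: %s" % (port, banner or "not exposed"))
    trusted = {parse_entry(ADMIN_KEY)["fingerprint"]}
    for entry in unknown_keys(SAMPLE_AUTHORIZED_KEYS, trusted):
        print("key not on allowlist:", entry["type"], entry["fingerprint"] or entry["comment"])
```

The fingerprint comparison is deliberate: matching on the SHA256 fingerprint rather than on the raw base64 text means a key re-added with a different comment or options prefix is still recognised, and an unknown key cannot hide behind a familiar-looking comment. Unparseable lines are surfaced rather than dropped, since anything in authorized_keys that is not a key you recognise deserves a look.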
Censys reported 4,504 infected ASUS routers as of May 28, 2025, with infections spanning the U.S., Sweden, Taiwan, Singapore, and Hong Kong. Devices on residential ISPs like HINET, MobileOne, HKT, Telia, Comcast, and Charter appear most affected.
“This botnet has clearly achieved global reach across residential networks,” Censys emphasized, “likely with the aim of creating a distributed proxy infrastructure.”
The focus on residential infrastructure aligns with the botnet’s stealth strategy: residential IPs appear more trustworthy and help evade IP-based detection systems, making them ideal for residential proxy abuse and anonymized malicious activity.
Data from January to May 2025 showed significant fluctuation in infection counts:
- Steady growth early in the year (6,622 devices in Jan)
- Sudden spike in April to 10,454 devices
- Recent drop to 4,504 devices — possibly due to security disclosures or botnet reconfiguration
“Regardless of this recent major drop, the continued presence of thousands of potentially infected hosts online indicates that this is well-established, resilient botnet infrastructure,” reads the Censys analysis.
Censys has published a search query that finds ASUS-branded devices with TCP port 53282 open; organizations can run it against their own address space to identify exposed routers.
Security teams are encouraged to audit routers for SSH keys they did not add, factory-reset and re-provision any affected device, and reconfigure it by hand rather than restoring a saved configuration backup, since a backup taken after the compromise carries the injected key with it.